Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-13 Thread Fraser Tweedale
Thanks for these details, Wouter.

Looking at your CS.cfg, there is something wrong. The line:

subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem

should be:

subsystem.1.class=com.netscape.cmscore.profile.LDAPProfileSubsystem

What is the history of this IPA server?  Was it a fresh
ipa-server-install on RHEL 7.2; an upgrade from an earlier version
of RHEL; or an ipa-replica-install from an IPA server of an earlier
release?  Could you check the following logfiles (whichever are
present) for errors?

/var/log/ipareplica-install.log
/var/log/ipaserver-install.log
/var/log/ipaupgrade.log

Anyhow, I suggest switching to LDAPProfileSubsystem in CS.cfg,
restarting PKI and then seeing if the problem still occurs.

Cheers,
Fraser


On Fri, Dec 11, 2015 at 09:04:26AM +, wouter.hummel...@kpn.com wrote:
> ipa-admintools.x86_64        4.2.0-15.el7    @rhel-x86_64-server-7
> ipa-client.x86_64            4.2.0-15.el7    @rhel-x86_64-server-7
> ipa-python.x86_64            4.2.0-15.el7    @rhel-x86_64-server-7
> ipa-server.x86_64            4.2.0-15.el7    @rhel-x86_64-server-7
> ipa-server-dns.x86_64        4.2.0-15.el7    @rhel-x86_64-server-7
> ipa-server-trust-ad.x86_64   4.2.0-15.el7    @rhel-x86_64-server-7
> 
> pki-base.noarch              10.2.5-6.el7    @rhel-x86_64-server-7
> pki-ca.noarch                10.2.5-6.el7    @rhel-x86_64-server-7
> pki-kra.noarch               10.2.5-6.el7    @rhel-x86_64-server-7
> pki-server.noarch            10.2.5-6.el7    @rhel-x86_64-server-7
> pki-symkey.x86_64            10.2.5-6.el7    @rhel-x86_64-server-7
> pki-tools.x86_64             10.2.5-6.el7    @rhel-x86_64-server-7
> 
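A check for the CS.cfg line Fraser points at, plus the switch he suggests, as an added example that is not part of his reply: the sample CS.cfg fragment is constructed, and the rewrite copies the edited text back over the original so the file keeps its owner and mode.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a Dogtag CS.cfg for the
# profile subsystem class and switch it to LDAPProfileSubsystem with a
# backup. The sample CS.cfg fragment below is constructed.
set -eu

FILE_CLASS=com.netscape.cmscore.profile.ProfileSubsystem
LDAP_CLASS=com.netscape.cmscore.profile.LDAPProfileSubsystem

# Print the class configured for subsystem.1 (empty if the key is absent).
profile_subsystem_class() {
    sed -n 's/^subsystem\.1\.class=//p' "$1"
}

# Exit 0 when the CA loads profiles from LDAP (what IPA 4.2 expects),
# 1 when it still uses the file-based ProfileSubsystem.
uses_ldap_profiles() {
    [ "$(profile_subsystem_class "$1")" = "$LDAP_CLASS" ]
}

# Rewrite subsystem.1.class, keeping a timestamped backup so the change can
# be reverted if pki-tomcatd does not come back up. The edited text is
# copied back over the original file (not mv'd) to keep owner and mode.
switch_to_ldap_profiles() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    sed "s#^subsystem\.1\.class=$FILE_CLASS\$#subsystem.1.class=$LDAP_CLASS#" "$cfg" > "$cfg.new"
    cat "$cfg.new" > "$cfg"
    rm -f "$cfg.new"
}

# Constructed CS.cfg fragment mirroring the line quoted in the thread.
make_sample_cfg() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
subsystem.0.class=com.netscape.ca.CertificateAuthority
subsystem.0.id=ca
subsystem.1.class=com.netscape.cmscore.profile.ProfileSubsystem
subsystem.1.id=profile
EOF
    printf '%s\n' "$tmp"
}
```

Restart PKI afterwards, as Fraser says, and re-run `uses_ldap_profiles` to confirm the new value took.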

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-13 Thread Natxo Asenjo
On Fri, Dec 11, 2015 at 11:32 PM, Ranbir  wrote:

> On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> > what exactly do you want to achieve? 'Integrate' could mean a couple
> > of things, so please specify.
>
> I would like to move postfix and dovecot to use IPA for sasl auth and
> for managing the virtual mailboxes. I have a good idea of how this is
> all supposed to work together. What I need are the actual steps to get
> it done.
>

so what have you tried?

--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Service Accounts via IPA

2015-12-13 Thread Michael ORourke
What we do is create a non-posix group in FreeIPA and apply a custom password policy, then join the users to that group.  Then login as the service account and reset the account's password to some random string.  But if you reset it through the UI, it will set the password to expire in 1 hour.  Also, you can "disable" the account from the FreeIPA UI or the command line, which appears to work too.

Here is a simple write-up of how we set up service accounts in FreeIPA:

1. Login to the FreeIPA UI as a user/admin with privileges to add groups and password policies.

2. First we will add a group. Click on Identity --> User Groups, then Add
   Group name: svc_accounts
   Description: Group used for Service Accounts
   Group Type: Normal
   GID: (this will be blanked out)

3. Next, add a new password policy (because you do NOT want the password on service accounts expiring every 90 days).
   Policy --> Password Policies, then Add
   Group: (select svc_accounts from dropdown box)
   Priority: 1
   Then click "Add and Edit", which will allow you more fields to populate.
   Max lifetime (days): 3650  (which gives you 10 years between password changes)

4. Create a new service user account (we choose to use the prefix "svc_" for any new service accounts).
   Identity --> Users, then Add
   User login: svc_testuser
   First Name: Test
   Last Name: User
   New Password: Foobar1  (easy to remember temp password)
   Verify Password: Foobar1
   Click on "Add and Edit", then click on "User Groups", Add
   Add this user to the "svc_accounts" group.

5. Now login as svc_testuser with temp password "Foobar1".
   Update the password to some long string of random characters (something you can set and forget).
   Logout

6. Create any necessary sudo rules that allow regular users to switch to the svc_testuser account.

7. Disable service account:
   From the FreeIPA UI, go to Identity --> Users, then click on the svc_testuser user in the list.
   Then use the "select action" dropdown box to "Disable" the user account, click Apply.

8. Done!

-Mike

-----Original Message-----
From: "Redmond, Stacy"
Sent: Dec 10, 2015 1:24 PM
To: "freeipa-users@redhat.com"
Subject: [Freeipa-users] Service Accounts via IPA

Generally I will lock a service account on linux so that the account cannot login, but users can sudo su - to that user.  As I don't have access to the password field in free ipa, what are my options to set this up as a default for service accounts, or how can I modify individual accounts that need access to a system, but should not be able to login to the system.  Any help is appreciated.

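Mike's write-up done with the ipa CLI instead of the web UI, as an added example that is not part of his post: the group, policy and user values are his, the sudo-rule step (Stacy's "sudo su -" case) assumes a rule name and a group of allowed users, and IPA is a variable so the commands can be previewed with IPA=echo.

```shell
#!/bin/sh
# Added example, not from the thread: Mike's service-account procedure
# scripted with the ipa CLI. Values follow his write-up; the IPA variable,
# the sudo rule name and the group passed to allow_sudo_su_to are assumptions.
set -eu

IPA=${IPA:-ipa}          # set IPA=echo to preview the commands
SVC_GROUP=svc_accounts
SVC_PREFIX=svc_
MAX_LIFETIME_DAYS=3650   # 10 years between password changes (step 3)

# Login name with the svc_ prefix enforced (the naming convention in step 4).
svc_login() {
    case $1 in
        ${SVC_PREFIX}*) printf '%s\n' "$1" ;;
        *)              printf '%s%s\n' "$SVC_PREFIX" "$1" ;;
    esac
}

# Steps 2 and 3: non-POSIX group plus a password policy for its members
# that overrides the 90-day global default.
create_svc_group() {
    "$IPA" group-add "$SVC_GROUP" --nonposix --desc="Group used for Service Accounts"
    "$IPA" pwpolicy-add "$SVC_GROUP" --maxlife="$MAX_LIFETIME_DAYS" --priority=1
}

# Step 4: create the user with a temporary password (--password reads it
# from stdin) and put it in the group. Step 5 stays interactive: an
# admin-set password must be changed at the next login, so someone logs in
# as the account and sets the final random string before step 7.
create_svc_account() {
    login=$(svc_login "$1"); first=$2; last=$3; temp_pw=$4
    printf '%s\n' "$temp_pw" | "$IPA" user-add "$login" --first="$first" --last="$last" --password
    "$IPA" group-add-member "$SVC_GROUP" --users="$login"
    printf '%s\n' "$login"
}

# Step 7: disable the account so it cannot log in directly.
disable_svc_account() {
    "$IPA" user-disable "$(svc_login "$1")"
}

# Step 6: a sudo rule letting members of an existing group run su to the
# service account, which is what Stacy asked for (sudo su - <account>).
allow_sudo_su_to() {
    login=$(svc_login "$1"); via_group=$2; rule="su_to_$login"
    "$IPA" sudocmd-add /bin/su || true      # may already be defined
    "$IPA" sudorule-add "$rule" --hostcat=all
    "$IPA" sudorule-add-allow-command "$rule" --sudocmds=/bin/su
    "$IPA" sudorule-add-user "$rule" --groups="$via_group"
    "$IPA" sudorule-add-runasuser "$rule" --users="$login"
}
```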

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-13 Thread Sumit Bose
On Sat, Dec 12, 2015 at 01:34:53PM +0100, Stefano Cortese wrote:
>   
>   
> This is expected because if either the principal or the user name is
> known to SSSD the localauth plugin will take control because by default
> the added modules are registered first (see [plugins] section of man
> krb5.conf for details).
> 
> To check auth_to_local_names first you can try
> 
>enable_only=names,k5login,sssd
> 
>   
> 
> It does not work for me.
> Changed the snippet and made it immutable; after sssd restart the
> behaviour is the same.
> It does not work either when putting k5login or names alone.
> Note that the sssd version in SL6.7<->RHEL6.7 is
> 1.12.4-47
> Should those keywords work in this version?

Ah, this is not related to the SSSD version, but to the version of MIT
Kerberos. SL/CentOS/RHEL 6.7 should have version 1.10.3 which already
has the new plugin interface but the localauth plugin was only released
in MIT Kerberos version 1.12.

bye,
Sumit



Re: [Freeipa-users] RHEL 7.2 update - ns-slapd replication keep alive entry

2015-12-13 Thread Orion Poplawski
On 12/02/2015 01:42 PM, Andy Thompson wrote:
> Since updating to RHEL 7.2 I've got issues with ns-slapd hanging the system 
> up after a period of time.  The directory becomes unresponsive to searches or 
> any connections.  After a restart I see
> 
> [02/Dec/2015:15:27:41 -0500] - slapd started.  Listening on All Interfaces 
> port 389 for LDAP requests
> [02/Dec/2015:15:27:41 -0500] - Listening on All Interfaces port 636 for LDAPS 
> requests
> [02/Dec/2015:15:27:41 -0500] - Listening on /var/run/slapd-MHBENP-LIN.socket 
> for LDAPI requests
> [02/Dec/2015:15:27:44 -0500] NSMMReplicationPlugin - 
> agmt="cn=meTomdhixnpipa02.mhbenp.lin" (mdhixnpipa02:389): Replication bind 
> with GSSAPI auth resumed
> [02/Dec/2015:15:27:47 -0500] NSMMReplicationPlugin - replication keep alive 
> entry  already exists
> 
> In the logs, and occasionally the keepalive entry message is seen a few times 
> and then eventually ns-slapd taps the system: 100% util, system load 
> crawls up to between 30 and 40 and eventually I have to restart the service to 
> get it to respond again.  Memory usage is normal, db and entry cache is 
> sufficient, possibly a little on the high side, but the resource is sitting there 
> asking to be used :)
> 
> Running 389-ds-base-1.3.4.0-19.el7.x86_64 after the update yesterday.

I've not (yet) noticed any hangs in ns-slapd, although our system is not yet
really in production.  However I am seeing many of these "replication keep
alive entry" messages as well with the new version.  Can anyone speak to what
is causing these?


-- 
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com



Re: [Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

2015-12-13 Thread Jani West

Hello,

Seems like I indeed have expired certs. The problem is how I can renew 
these.


I tried to do:
---
[root@ipa1 ca]# systemctl restart dirsrv.target
[root@ipa1 ca]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20150814121620', please check the 
request manually

---

I still have old certs:



Request ID '20150814121606':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
subject: CN=CA Audit,O=PLANWEE.LOCAL
expires: 2015-09-29 20:22:26 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150814121614':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
subject: CN=OCSP Subsystem,O=PLANWEE.LOCAL
expires: 2015-09-29 20:22:25 UTC
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150814121618':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='654666959930'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
subject: CN=CA Subsystem,O=PLANWEE.LOCAL
expires: 2015-09-29 20:22:25 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20150814121621':
status: CA_WORKING
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=PLANWEE.LOCAL
subject: CN=IPA RA,O=PLANWEE.LOCAL
expires: 2015-09-29 20:23:10 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes

On 12/11/2015 10:23 AM, Martin Kosek wrote:

On 12/11/2015 08:31 AM, Jani West wrote:

Hello,

Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
server is starting ok when starting it directly with "systemctl start
dirsrv.target".

When starting "systemctl start ipa" everything else will start up except the
pki-tomcatd.

Obviously same thing happens when starting with ipactl directly:
[root@ipa1 ca]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl


/var/log/pki/pki-tomcat/localhost.2015-12-11.log
SEVERE: Servlet.service() for servlet [caGetStatus] in context with
path [/ca]
threw exception java.io.IOException: CS server is not ready to serve.


/var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
[11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All
Interfaces port
389 for LDAP requests
[11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
LDAPS requests
[11/Dec/2015:01:02:19 +0200] - Listening on
/var/run/slapd-PLANWEE-LOCAL.socket
for LDAPI requests
[11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 107 (Tra

Re: [Freeipa-users] Any recent guides for Postfix and IPA integration?

2015-12-13 Thread Ranbir
On Fri, 2015-12-11 at 22:13 +0100, Natxo Asenjo wrote:
> what exactly do you want to achieve? 'Integrate' could mean a couple 
> of things, so please specify. 

Ya, that was lame. Let me elaborate.

I have a postfix server and a dovecot server: both are running in
separate KVMs. They're on different subnets and they have a firewall in
between. I've opened up ports to allow them to talk to each other
because the postfix server is using dovecot for smtp auth and lmtp for
mail delivery. The dovecot users are in a password file. At the moment,
my mail setup is working perfectly.

I have a master IPA server on the same network as the dovecot box.
There's a replica IPA server on the postfix server's network. Both
servers are joined to the IPA domain although they are in different DNS
domains (which doesn't really matter here, I guess).

I would like to move postfix and dovecot to use IPA for sasl auth and
for managing the virtual mailboxes. I have a good idea of how this is
all supposed to work together. What I need are the actual steps to get
it done.

 
-- 
Ranbir



[Freeipa-users] Clean up DNS, Host, Cert and other records from IPA / IDM

2015-12-13 Thread Andrey Ptashnik
Hello Team,

We have many servers in our environment that are at different stages of their 
lifecycle. All of them are added to the IPA domain. There are cases when servers 
get moved, sometimes crash, sometimes are being rebuilt or decommissioned. In 
those cases we need to completely remove the server identity from IPA including 
DNS, Host, Certificate and other associated records.
What is the most proper way to completely remove client records in case a 
server needs to be rebuilt with the same host name down the road? (hardware 
failure happened, server crashed and needs to be rebuilt is a perfect 
example).

Regards,

Andrey Ptashnik


[Freeipa-users] IPA, autofs, kerberos

2015-12-13 Thread Cal Sawyer

Hi

After getting autofs working using automountmaps in IPA, I've discovered 
that upon rebooting a client I have no automounts.  If I ssh into the 
client and obtain a ticket as admin, after restarting autofs (as root), 
I can once again access automounted directories.  Until then, user 
logins which depend on a network home mount consistently fail.


Question is, how can this be made automatic on reboot?

thanks

- cal sawyer



Re: [Freeipa-users] Yum update broke CA/CS - pki-tomcatd not starting

2015-12-13 Thread Martin Kosek

On 12/11/2015 08:31 AM, Jani West wrote:

Hello,

Pki-tomcatd seems to have difficulties when connecting to CA. LDAP
server is starting ok when starting it directly with "systemctl start
dirsrv.target".

When starting "systemctl start ipa" everything else will start up except the
pki-tomcatd.

Obviously same thing happens when starting with ipactl directly:
[root@ipa1 ca]# ipactl start
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Aborting ipactl


/var/log/pki/pki-tomcat/localhost.2015-12-11.log
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca]
threw exception java.io.IOException: CS server is not ready to serve.


/var/log/dirsrv/slapd-PLANWEE-LOCAL/errors
[11/Dec/2015:01:02:19 +0200] - slapd started. Listening on All Interfaces port
389 for LDAP requests
[11/Dec/2015:01:02:19 +0200] - Listening on All Interfaces port 636 for
LDAPS requests
[11/Dec/2015:01:02:19 +0200] - Listening on /var/run/slapd-PLANWEE-LOCAL.socket
for LDAPI requests
[11/Dec/2015:01:02:19 +0200] slapd_ldap_sasl_interactive_bind - Error:
could not perform interactive bind for id [] mech [GSSAPI]: LDAP error
-1 (Can't contact LDAP server) ((null)) errno 107 (Transport endpoint is not
connected)
[11/Dec/2015:01:02:19 +0200] slapi_ldap_bind - Error: could not perform
interactive bind for id [] authentication mechanism [GSSAPI]: error -1
(Can't contact LDAP server)

/var/log/pki/pki-tomcat/ca/debug
Internal Database Error encountered: Could not connect to LDAP server
host ipa1.backend.planwee.local port 636 Error netscape.ldap.LDAPException: IO
Error creating JSS SSL Socket (-1)

Environment:
CentOS 7
IPA 4.1

The problem looks the same as this:
https://access.redhat.com/solutions/2022123

Unfortunately I cannot view resolution.

is this related to expired CA certificates?


If you have expired certificates (you can check with "# getcert list | grep 
expires"), it could cause issues like that also.


The article you are referring to is rather around wrong CA certificate trust 
attributes in /var/lib/pki/pki-tomcat/alias/ or /etc/dirsrv/slapd-EXAMPLE-COM/ 
NSS databases.


You can check that with
# certutil -L -d /var/lib/pki/pki-tomcat/alias/
# certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/

BTW, if you want to see the whole article or other articles from the large KB, 
I would suggest getting a subscription :-)


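The two checks Martin suggests, scripted as an added example that is not part of his reply: one reads `getcert list` output and reports requests whose expiry date has passed, the other reads the trust column for a nickname out of `certutil -L` output. The sample outputs are constructed from the listing Jani posted; the nickname caSigningCert cert-pki-ca and the reference date are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Martin's two checks as functions.
# expired_requests() parses `getcert list` output; ca_trust_flags() parses
# `certutil -L -d <nssdb>` output. Sample outputs are constructed from the
# listing Jani posted; nickname and reference date are assumptions.
set -eu

# Epoch seconds for a getcert timestamp such as "2015-09-29 20:22:26 UTC"
# (GNU date, as shipped on RHEL/CentOS 7).
ts_to_epoch() {
    date -u -d "$1" +%s
}

# Usage: expired_requests <now-epoch>  < output of `getcert list`
# Prints "<request id> <expiry>" for each tracked request already expired;
# requests with "expires: unknown" (never issued) are skipped.
expired_requests() {
    now=$1; id=''
    while IFS= read -r line; do
        case $line in
            "Request ID "*)
                id=$(printf '%s\n' "$line" | tr -d "':" | cut -d' ' -f3) ;;
            *expires:*)
                exp=${line#*expires: }
                [ "$exp" = unknown ] && continue
                if [ "$(ts_to_epoch "$exp")" -lt "$now" ]; then
                    printf '%s %s\n' "$id" "$exp"
                fi ;;
        esac
    done
}

# Usage: ca_trust_flags <nickname>  < output of `certutil -L -d <nssdb>`
# Prints the trust column (SSL,S/MIME,JAR/XPI) of that nickname.
ca_trust_flags() {
    awk -v nick="$1" '
        NF > 1 { flags = $NF; $NF = ""; sub(/[ \t]+$/, ""); if ($0 == nick) print flags }'
}

# The CA certificate in the pki-tomcat and dirsrv databases must be trusted
# as an SSL CA, i.e. carry C in the first column (CT... for the IPA CA).
ca_trust_ok() {
    case ${1%%,*} in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed `getcert list` excerpt: one expired CA subsystem cert, one
# still valid, one never issued.
sample_getcert() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150814121606':
    status: CA_WORKING
    stuck: no
    subject: CN=CA Audit,O=PLANWEE.LOCAL
    expires: 2015-09-29 20:22:26 UTC
    track: yes
Request ID '20150814121621':
    status: MONITORING
    stuck: no
    subject: CN=IPA RA,O=PLANWEE.LOCAL
    expires: 2017-09-29 20:23:10 UTC
    track: yes
Request ID 'mongo2':
    status: CA_UNREACHABLE
    stuck: no
    expires: unknown
    track: yes
EOF
}

# Constructed `certutil -L -d /var/lib/pki/pki-tomcat/alias/` excerpt.
sample_certutil() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
EOF
}
```

On a live server, pipe `getcert list` and `certutil -L -d <nssdb>` into these instead of the samples, with `$(date +%s)` as the reference time.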


Re: [Freeipa-users] otpd heavy load?

2015-12-13 Thread Nathaniel McCallum
On Thu, 2015-12-10 at 09:34 -0800, Janelle wrote:
> Hi,
> 
> Hope everyone is enjoying the holiday season. Been away for sometime,
> and wanted to jump in with a new question.  I am seeing otpd have
> high 
> resource usage (from just monitoring via top, sar and uptime)
> however, I 
> can not seem to find any logging from it, nor how I might be able to 
> enable some in order to find out why it is using so much CPU? Any 
> thoughts/suggestions?

Log messages should be available through journalctl.

Which libverto backend are you running? If you are on Fedora, please
provide the output of the 'rpm -qa libverto*' command.


Re: [Freeipa-users] FreeIPA DNSSEC NSEC3PARAM record

2015-12-13 Thread Günther J . Niederwimmer
On Thursday 10 December 2015, 12:51:19 Petr Spacek wrote:
> On 9.12.2015 14:40, Günther J. Niederwimmer wrote:
> > Hello,
> > 
> > I would like to create a NSEC3PARAM record but my tests are not working :-(.
> > 
> > Is there documentation for this problem? I can't find a DOCU.
> > 
> > My test is
> > 
> > I make a "Salt" with this
> > 
> > head -c 512 /dev/random | sha1sum | cut -b 1-16
> > x...
> > 
> > afterwards I run
> > ldns-nsec3-hash -t 10 -s xx x.com
> > x.
> > 
> > I would like to insert the result in the WebUI, but this is wrong?
> > 
> > What is the correct syntax to create a NSEC3PARAM record?
> > 
> > Thanks for an answer,
> 
> Hello,
> 
> FreeIPA just passes the value to BIND, so standard syntax per
> http://tools.ietf.org/html/rfc5155#section-4.3
> should work.
> 
> I hope this helps.
;-)

I am not a Mathematics Professor to understand this ;-)

OK, I have to search again in the World Wide Web to find an answer.

-- 
with kind regards / best regards,

  Günther J. Niederwimmer

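The RFC 5155 section 4.3 presentation format Petr refers to, built and validated in a small script as an added example that is not part of the thread: the four fields are hash algorithm, flags, iterations and salt, and the salt is the value that goes into the record (the ldns-nsec3-hash output in the question is a hashed owner name, not an NSEC3PARAM field). The salt recipe is the one Günther quoted with /dev/urandom substituted so it does not block; the zone name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: build an NSEC3PARAM record in the
# RFC 5155 section 4.3 presentation format that FreeIPA hands to BIND, and
# validate its fields. Zone name in the usage comment is an assumption.
set -eu

# Validate a salt: "-" for no salt, otherwise an even number of hex digits
# (two per byte, at most 255 bytes) with no whitespace.
valid_salt() {
    case $1 in
        -) return 0 ;;
        *[!0-9A-Fa-f]*|'') return 1 ;;
    esac
    len=${#1}
    [ $((len % 2)) -eq 0 ] && [ "$len" -le 510 ]
}

# Print "<alg> <flags> <iterations> <salt>". Hash algorithm 1 is SHA-1, the
# only one RFC 5155 defines; flags are 0 in NSEC3PARAM (Opt-Out is not used
# there); iterations must fit in 16 bits.
nsec3param_rdata() {
    iterations=$1; salt=$2
    case $iterations in
        ''|*[!0-9]*) echo "iterations must be a decimal integer" >&2; return 1 ;;
    esac
    [ "$iterations" -le 65535 ] || { echo "iterations exceeds 65535" >&2; return 1; }
    valid_salt "$salt" || { echo "salt must be '-' or an even-length hex string" >&2; return 1; }
    printf '1 0 %s %s\n' "$iterations" "$salt"
}

# The salt recipe from the thread: 16 hex digits, i.e. an 8-byte salt.
random_salt() {
    head -c 512 /dev/urandom | sha1sum | cut -b 1-16
}

# Usage on the IPA master (raw-record option of ipa dnsrecord-add):
#   ipa dnsrecord-add example.test. @ --nsec3param-rec="$(nsec3param_rdata 10 "$(random_salt)")"
```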


Re: [Freeipa-users] FreeRadius and FreeIPA

2015-12-13 Thread Martin Kosek
On 12/09/2015 03:52 PM, Randy Morgan wrote:
> Hello,
> 
> We are setting up our wireless to authenticate against FreeRadius and 
> FreeIPA. 
> I am looking for any instructions on how to integrate radius with IPA.  We can
> get them talking via kerberos, but when we have a wireless client attempt to
> authenticate against them, the password gets stripped out and only the 
> username
> gets passed on, resulting in a failed logon attempt.
> 
> As we have studied the problem we have identified the communication protocols
> used by wireless to pass on the user credentials to radius.  Wireless uses EAP
> as its primary protocol.  We are running Xirrus wireless APs and from what we
> can learn, they act only as a pass through conduit for the client.  Ideally we
> would like them to speak PEAP TTLS, this would allow kerberos to process from
> the client to the IPA server, we are still researching this.
> 
> Are there any instructions on how to integrate FreeRadius 3.0.10 with FreeIPA
> 3.3.5?  Any help would be appreciated.
> 
> Randy

Hi,

What articles did you test so far? I did not try it myself, but google gives
out some idea:

http://readlist.com/lists/lists.freeradius.org/freeradius-users/13/69142.html

http://consultancy.edvoncken.net/index.php/HOWTO_Configure_Radius_with_an_IPA_Server

https://plus.google.com/104747154449640814740/posts/SxU8to5J2r6

Martin



Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-13 Thread wouter.hummelink
I did change profile Id as shown in the diff.  No other changes.



Sent from my Samsung device


-------- Original message --------
From: Fraser Tweedale
Date: 2015-12-10 04:04 (GMT+01:00)
To: "Hummelink, Wouter"
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

On Thu, Dec 10, 2015 at 12:58:05PM +1000, Fraser Tweedale wrote:
> On Thu, Dec 10, 2015 at 09:48:35AM +1000, Fraser Tweedale wrote:
> > On Wed, Dec 09, 2015 at 10:46:06AM +, wouter.hummel...@kpn.com wrote:
> > > Hello,
> > >
> > > I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> > >
> > > I've exported the default caIPAServiceCert profile and did the following 
> > > modification:
> > > < profileId=caIPAserviceCert
> > > ---
> > > > profileId=KPNWebhostingAEM
> > > 87c87
> > > < 
> > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > >  O=IPADOMAIN
> > > ---
> > > > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> > > >  OU=TESTAEM, O=IPADOMAIN
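Review bot: the first hunk has lost its line header (only the second keeps its 87c87), so the diff as pasted would not apply with patch; regenerating it with diff -u before sharing would make it reviewable. On substance, both hunks leave the policy set name serverCertSet untouched and the second only rewrites the subject-name pattern, so nothing in these two hunks removes or renames a policy set; the "Policy Set Not Found" error has to come from outside the diff (the rest of the imported file, or how the server loads the profile), which is worth confirming before editing the profile further.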
> > >
> > > Profile
> > >   Profile ID: KPNWebhostingAEM
> > >   Profile description: KPN Webhosting AEM
> > >   Store issued certificates: TRUE
> > >
> > > CAACL
> > >   ACL name: ING Intermediairs AEM Application Servers
> > >   Enabled: TRUE
> > >   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
> > >   Host Groups: xxx_accp_applications, xxx_prod_applications
> > >
> > > Trying to request a certificate for a server
> > > ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> > > /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> > >
> > > Results in:
> > > ipa-getcert list
> > > Number of certificates and requests being tracked: 1.
> > > Request ID 'mongo2':
> > > status: CA_UNREACHABLE
> > > ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> > > request, will retry: 4301 (RPC failed at server.  Certificate operation 
> > > cannot be completed: FAILURE (Policy Set Not Found)).
> > > stuck: no
> > > key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> > > certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> > > CA: IPA
> > > issuer:
> > > subject:
> > > expires: unknown
> > > pre-save command:
> > > post-save command:
> > > track: yes
> > > auto-renew: yes
> > >
> > > Since the same setup was working to request certificates on my lab 
> > > environment I'm at a loss what is causing the error.
> > >
> > > Kind regards,
> > >
> > Hi Wouter,
> >
> > I'm looking into this; stay tuned.
> >
> OK, I could not reproduce.  Is the issue reproducible for you?  Did
> you execute the commands by hand or as part of a script?  Can you
> provide your PKI debug log (/var/log/pki/pki-tomcat/ca/debug/)?
>
Oh, and did you make any changes to the profile configuration
besides those you mentioned; the profileId and Subject Name pattern?

>
> Cheers,
> Fraser
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
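
Before importing a modified raw profile with `ipa certprofile-import`, it is worth checking that the file is internally consistent: that `profileId` is the name you intend, that every policy set named in `policyset.list` has its own `.list`, and that every policy in it declares both a `default.class_id` and a `constraint.class_id`. The script below is an added example, not code from this thread, from FreeIPA or from Dogtag. The embedded profile is a constructed, trimmed-down clone in the style of the `caIPAserviceCert` copy diffed above (same rename and subject-name change); the class ids and file name are examples. A clean result only says the profile file itself is consistent, it cannot see server-side causes of a request failure.

```python
"""Lint a raw Dogtag/FreeIPA certificate profile before 'ipa certprofile-import'."""
import re
import sys

# Constructed sample: a trimmed-down clone of caIPAserviceCert renamed to
# KPNWebhostingAEM, carrying the subject-name template change from the thread.
# Only the keys the checks below look at are included.
SAMPLE_PROFILE = """\
profileId=KPNWebhostingAEM
classId=caEnrollImpl
desc=KPN Webhosting AEM
visible=false
enable=true
auth.instance_id=raCertAuth
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, OU=TESTAEM, O=IPADOMAIN
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
"""

# Matches the policy-set name in keys such as policyset.serverCertSet.1.default.class_id
_SET_KEY = re.compile(r'^policyset\.([^.]+)\.')


def parse_profile(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f'line {lineno}: expected key=value, got {line!r}')
        cfg[key.strip()] = value.strip()
    return cfg


def _csv(value):
    return [v.strip() for v in value.split(',') if v.strip()]


def lint_profile(cfg, expected_profile_id=None):
    """Return a list of problems (empty when the profile looks consistent)."""
    problems = []
    profile_id = cfg.get('profileId')
    if not profile_id:
        problems.append('profileId is missing')
    elif expected_profile_id and profile_id != expected_profile_id:
        problems.append(f'profileId is {profile_id!r}, expected {expected_profile_id!r}')

    policy_sets = _csv(cfg.get('policyset.list', ''))
    if not policy_sets:
        problems.append('policyset.list is missing or empty')
    for ps in policy_sets:
        policy_ids = _csv(cfg.get(f'policyset.{ps}.list', ''))
        if not policy_ids:
            problems.append(f'policyset.{ps}.list is missing or empty')
        for pid in policy_ids:
            for part in ('default', 'constraint'):
                key = f'policyset.{ps}.{pid}.{part}.class_id'
                if key not in cfg:
                    problems.append(f'{key} is missing')

    # Policy keys naming a set that policyset.list does not declare are
    # ignored by the CA: usually a typo or a half-finished rename.
    declared = set(policy_sets)
    for key in cfg:
        m = _SET_KEY.match(key)
        if m and m.group(1) not in declared:
            problems.append(f'{key} refers to undeclared policy set {m.group(1)!r}')
    return problems


if __name__ == '__main__':
    # Usage: python3 lint_profile.py KPNWebhostingAEM.cfg [expected-profileId]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    for problem in lint_profile(parse_profile(text), expected) or ['OK']:
        print(problem)
```

Passing the intended profile name as the second argument catches the case where the `profileId` line was left at `caIPAserviceCert` after copying; running it with no arguments lints the embedded sample.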

Re: [Freeipa-users] Add "mkhomedir" after install

2015-12-13 Thread Martin Štefany
Hello Ranbir, 

that installation option (as few more) just adjusts parameters passed to 
authconfig utility.

To enable automatic home directory creation later on, just issue:
# authconfig --enablemkhomedir --update

More info is in manual pages of authconfig or use authconfig --help


Kind regards, / S pozdravom,
Martin Štefany


On Dec 9, 2015 7:34 PM, Ranbir  wrote:
>
> Hello Everyone, 
>
> I installed a replica without passing the "mkhomedir" option to the 
> install command. Sure enough, when I login to the replica, my home dir 
> isn't created. I _could_ create it manually, but it would be nice if the 
> first login triggered the creation. 
>
> I've been trying to find an answer to this on my own, but so far I've 
> had no luck. 
>
> Thanks in advance! 
>
> -- 
> Ranbir 
>


Re: [Freeipa-users] Certificate Profile - Policy Set Not Found

2015-12-13 Thread Fraser Tweedale
On Wed, Dec 09, 2015 at 10:46:06AM +, wouter.hummel...@kpn.com wrote:
> Hello,
> 
> I'm trying to import and use a certificate profile in IPAv4.2 on RHEL.
> 
> I've exported the default caIPAServiceCert profile and did the following 
> modification:
> < profileId=caIPAserviceCert
> ---
> > profileId=KPNWebhostingAEM
> 87c87
> < 
> policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
>  O=IPADOMAIN
> ---
> > policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> >  OU=TESTAEM, O=IPADOMAIN
> 
> Profile
>   Profile ID: KPNWebhostingAEM
>   Profile description: KPN Webhosting AEM
>   Store issued certificates: TRUE
> 
> CAACL
>   ACL name: ING Intermediairs AEM Application Servers
>   Enabled: TRUE
>   Profiles: KPNWebhostingServiceCertAEM, KPNWebhostingAEM
>   Host Groups: xxx_accp_applications, xxx_prod_applications
> 
> Trying to request a certificate for a server
> ipa-getcert request -r -I mongo2 -f /etc/pki/tls/certs/host.crt -k 
> /etc/pki/tls/certs/host.key  -TKPNWebhostingAEM
> 
> Results in:
> ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID 'mongo2':
> status: CA_UNREACHABLE
> ca-error: Server at https://pvlipa1001c.ipadomain/ipa/xml failed 
> request, will retry: 4301 (RPC failed at server.  Certificate operation 
> cannot be completed: FAILURE (Policy Set Not Found)).
> stuck: no
> key pair storage: type=FILE,location='/etc/pki/tls/certs/host.key'
> certificate: type=FILE,location='/etc/pki/tls/certs/host.crt'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
> 
> Since the same setup was working to request certificates on my lab 
> environment I'm at a loss what is causing the error.
> 
> Kind regards,
> 
Hi Wouter,

I'm looking into this; stay tuned.

Fraser

> Wouter Hummelink
> Cloud Engineer
> KPN IT Solutions
> Platform Organisation Cloud Services
> Mail: wouter.hummel...@kpn.com
> Phone: +31 (0)6 1288 2447
> *
> KPN IT SOLUTIONS is the trade name of KPN Corporate Market BV, 
> Commercial Register 52959597 Amsterdam
> The information transmitted is intended only for use by the addressee and may 
> contain confidential and/or privileged material.
> Any review, re-transmission, dissemination or other use of it, or the taking 
> of any action in reliance upon this information by persons
> and/or entities other than the intended recipient is prohibited. If you 
> received this in error, please inform the sender and/or addressee immediately
> and delete the material. Thank you.
> *
> 







Re: [Freeipa-users] Add "mkhomedir" after install

2015-12-13 Thread Craig White
You can enable it at any time...

authconfig --enablemkhomedir --update

Craig White
System Administrator
O 623-201-8179   M 602-377-9752



SkyTouch Technology 4225 E. Windrose Dr. Phoenix, AZ 85032

-Original Message-
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Ranbir
Sent: Wednesday, December 09, 2015 11:34 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Add "mkhomedir" after install

Hello Everyone,

I installed a replica without passing the "mkhomedir" option to the install 
command. Sure enough, when I login to the replica, my home dir isn't created. I 
_could_ create it manually, but it would be nice if the first login triggered 
the creation.

I've been trying to find an answer to this on my own, but so far I've had no 
luck.

Thanks in advance!

--
Ranbir




Re: [Freeipa-users] Ldap search for enrolled boxes

2015-12-13 Thread Sean Hogan

Thanks Robert,

 Appreciated


Sean Hogan
Security Engineer

From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS, freeipa-users@redhat.com
Date:   12/07/2015 03:30 PM
Subject:Re: [Freeipa-users] Ldap search for enrolled boxes



Sean Hogan wrote:
> Hello,
>
> Does anyone have a ldapsearch syntax that will check the database for
> all enrolled hosts within IPA and ignore non-enrolled hosts? I am not
> familiar enough with the schema yet to know which containers contain
> what. I know there is a flag on the gui for enrolled or not so thinking
> its doable. Also.. any recommendations on a ldap query tool for use with
> IPA?

$ kinit admin
$ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com
"krbprincipalkey=*" dn

Any ldap query tool should work with IPA.

rob



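
Rob's presence filter on krbprincipalkey is the test for "enrolled": a host entry only gets that attribute once a keytab has been issued to it. The script below, an added example rather than code from the thread or from FreeIPA, builds the same ldapsearch call, and its negation for the hosts that were added but never enrolled (the stale entries worth reviewing), and parses the LDIF it returns. It assumes openldap-clients (the `-o ldif-wrap=no` option), a Kerberos ticket from `kinit admin` as in Rob's example, and the placeholder base DN `dc=example,dc=com`; the embedded LDIF and host names are constructed.

```python
"""Separate enrolled IPA hosts from host entries that never received a keytab."""
import base64
import subprocess

HOSTS_RDN = 'cn=computers,cn=accounts'


def ldapsearch_argv(base_dn, enrolled=True):
    """Build the ldapsearch command line (GSSAPI bind: run kinit first).
    A presence filter on krbprincipalkey selects enrolled hosts; its negation
    selects hosts that exist in IPA but have never been issued a keytab."""
    flt = '(krbprincipalkey=*)' if enrolled else '(!(krbprincipalkey=*))'
    return ['ldapsearch', '-Y', 'GSSAPI', '-LLL', '-o', 'ldif-wrap=no',
            '-b', f'{HOSTS_RDN},{base_dn}', flt, 'fqdn']


def _entries(ldif_text):
    """Split LDIF into entries: unfold continuation lines, decode '::' base64 values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(' ') and lines:        # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + ['']:                    # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith('#'):
            continue
        attr, _, rest = line.partition(':')
        if rest.startswith(':'):                 # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        current.append((attr.strip().lower(), value))
    return entries


def parse_fqdns(ldif_text):
    """Return the sorted fqdn values from 'ldapsearch -LLL ... fqdn' output."""
    return sorted(v for entry in _entries(ldif_text) for a, v in entry if a == 'fqdn')


def classify(enrolled_ldif, not_enrolled_ldif):
    return {'enrolled': parse_fqdns(enrolled_ldif),
            'not_enrolled': parse_fqdns(not_enrolled_ldif)}


def query(base_dn):
    """Run both searches against the live directory (needs a Kerberos ticket)."""
    out = {}
    for key, enrolled in (('enrolled', True), ('not_enrolled', False)):
        res = subprocess.run(ldapsearch_argv(base_dn, enrolled),
                             capture_output=True, text=True, check=True)
        out[key] = parse_fqdns(res.stdout)
    return out


# Constructed sample output in the shape ldapsearch prints it, including one
# base64 value and one folded line so the parser is exercised.
SAMPLE_ENROLLED = (
    'dn: fqdn=mongo2.example.com,cn=computers,cn=accounts,dc=example,dc=com\n'
    'fqdn: mongo2.example.com\n'
    '\n'
    'dn: fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com\n'
    'fqdn:: ' + base64.b64encode(b'web1.example.com').decode() + '\n'
)
SAMPLE_NOT_ENROLLED = (
    'dn: fqdn=stale.example.com,cn=computers,cn=accounts,dc=example,dc=com\n'
    'fqdn: stale.exam\n'
    ' ple.com\n'
)

if __name__ == '__main__':
    import sys
    # With a base DN argument the live directory is queried; without one the samples are used.
    result = query(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE_ENROLLED, SAMPLE_NOT_ENROLLED)
    for key, names in result.items():
        print(f'{key}: {len(names)}')
        for name in names:
            print('  ' + name)
```

The `not_enrolled` list is the interesting one operationally: a host object with no key material cannot authenticate as that host, so anything in it that is not a pending enrollment is a candidate for `ipa host-del`.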

Re: [Freeipa-users] yum update today broke ipa

2015-12-13 Thread Martin Basti
Run the upgrade manually; this is just an error in the checking function. Obviously 
4.2.0-15.el7_2.3 is newer than 4.2.0-15.el7


On 09.12.2015 17:21, Prasun Gera wrote:
Before I try this on the actual node, would it be better to roll back 
the last yum transaction ? I want to do whatever is safer.


On Wed, Dec 9, 2015 at 8:14 AM, Martin Basti wrote:




On 09.12.2015 16:32, Prasun Gera wrote:

Ran yum update today. Pulled in
https://rhn.redhat.com/errata/RHBA-2015-2562.html.

Seeing this error:

2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed,
exception: ScriptError: ("Unable to execute IPA upgrade: data are
in newer version than IPA (data version '4.2.0-15.el7', IPA
version '4.2.0-15.el7_2.3')", 1)
2015-12-09T15:21:02Z ERROR ("Unable to execute IPA upgrade: data
are in newer version than IPA (data version '4.2.0-15.el7', IPA
version '4.2.0-15.el7_2.3')", 1)
"/var/log/ipaupgrade.log" 54696L, 5389464C

ipactl won't start now. Luckily, I ran the update only on one
replica. The other node is still running.



Hello, this is not good; something terribly wrong happened with
parsing versions.

You can run the upgrade with ipa-server-upgrade --skip-version-check
or --force




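
The check that failed compares the data version recorded on the server with the installed package version, and the two labels in the log differ only in the release tag (`15.el7` versus `15.el7_2.3`). Below, as an added illustration that is neither IPA's own check nor the fix that went into the package, is the segment-wise ordering rpm itself uses for version and release strings; it ranks the two labels the way Martin states. It ignores epochs. On a RHEL system the rpm Python bindings expose the same comparison as `rpm.labelCompare`, which is what to reach for rather than reimplementing it.

```python
"""Segment-wise comparison of RPM VERSION-RELEASE labels (rpmvercmp-style)."""
import re

# Numeric runs, alphabetic runs and the tilde are the only things rpm compares;
# every other character ('.', '_', '-', '+') is just a separator.
_SEGMENT = re.compile(r'[0-9]+|[A-Za-z]+|~')


def rpmvercmp(a, b):
    """Return -1, 0 or 1 for a <, ==, > b, following rpm's rules: numeric runs
    compare as integers, alphabetic runs lexically, a numeric run is newer than
    an alphabetic one, a string with extra segments is newer than its prefix,
    and '~' (pre-release) sorts before anything, including end of string."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    n = min(len(sa), len(sb))
    for x, y in zip(sa[:n], sb[:n]):
        if x == y:
            continue
        if x == '~' or y == '~':
            return -1 if x == '~' else 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            return (xi > yi) - (xi < yi)
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    rest = sa[n:] or sb[n:]
    if rest and rest[0] == '~':                  # '1.0~rc1' is older than '1.0'
        return -1 if len(sa) > len(sb) else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def labelcmp(a, b):
    """Compare 'VERSION-RELEASE' labels as rpm does: version first, then release."""
    va, _, ra = a.partition('-')
    vb, _, rb = b.partition('-')
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_newer(a, b):
    return labelcmp(a, b) > 0


if __name__ == '__main__':
    data, ipa = '4.2.0-15.el7', '4.2.0-15.el7_2.3'   # the pair from the log above
    print(f'{ipa} newer than {data}: {is_newer(ipa, data)}')
```

For the labels in the log the version parts are equal, so the release parts decide: `15.el7_2.3` splits into `15, el, 7, 2, 3`, which has `15.el7` as a strict prefix and is therefore newer.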

Re: [Freeipa-users] yum update today broke ipa

2015-12-13 Thread Prasun Gera
Before I try this on the actual node, would it be better to roll back the
last yum transaction ? I want to do whatever is safer.

On Wed, Dec 9, 2015 at 8:14 AM, Martin Basti  wrote:

>
>
> On 09.12.2015 16:32, Prasun Gera wrote:
>
> Ran yum update today. Pulled in
> 
> https://rhn.redhat.com/errata/RHBA-2015-2562.html.
>
> Seeing this error:
>
> 2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed,
> exception: ScriptError: ("Unable to execute IPA upgrade: data are in newer
> version than IPA (data version '4.2.0-15.el7', IPA version
> '4.2.0-15.el7_2.3')", 1)
> 2015-12-09T15:21:02Z ERROR ("Unable to execute IPA upgrade: data are in
> newer version than IPA (data version '4.2.0-15.el7', IPA version
> '4.2.0-15.el7_2.3')", 1)
> "/var/log/ipaupgrade.log" 54696L, 5389464C
>
> ipactl won't start now. Luckily, I ran the update only on one replica. The
> other node is still running.
>
>
> Hello, this is not good; something terribly wrong happened with parsing
> versions.
>
> You can run the upgrade with ipa-server-upgrade --skip-version-check or --force
>

Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-13 Thread Jakub Hrozek
On Wed, Dec 09, 2015 at 12:58:23PM +0100, Winfried de Heiden wrote:
>Hi all,
> 
>Using entry_cache_timeout to set different cache timeout for sssd works
>well. However, it doesn't seem to work for Trusted Domain Users (using AD
>trust)
> 
>I made some changes, cleaned the cache but expiry will stay on a (too
>long) 10 (ten!) hours!
> 
>How can I change the sssd cache timeout for Trusted AD users ? (using IPA
>4.1)
> 
>Kind regards!

(I thought I already replied but I don't see the reply on the list and
neither in my Sent folder. Apologies if this is a duplicate).

Since it's the IPA master that fetches the identity data from the AD
server, you also need to change the cache timeouts on the server. In
addition, the cache lifetime is stored in the cache entry itself,
so you might want to invalidate the cache with sss_cache on both the
server and the client.



Re: [Freeipa-users] yum update today broke ipa

2015-12-13 Thread Martin Basti

On 09.12.2015 16:32, Prasun Gera wrote:
Ran yum update today. Pulled in 
https://rhn.redhat.com/errata/RHBA-2015-2562.html.


Seeing this error:

2015-12-09T15:21:02Z DEBUG The ipa-server-upgrade command failed, 
exception: ScriptError: ("Unable to execute IPA upgrade: data are in 
newer version than IPA (data version '4.2.0-15.el7', IPA version 
'4.2.0-15.el7_2.3')", 1)
2015-12-09T15:21:02Z ERROR ("Unable to execute IPA upgrade: data are 
in newer version than IPA (data version '4.2.0-15.el7', IPA version 
'4.2.0-15.el7_2.3')", 1)

"/var/log/ipaupgrade.log" 54696L, 5389464C

ipactl won't start now. Luckily, I ran the update only on one replica. 
The other node is still running.



Hello, this is not good; something terribly wrong happened with parsing 
versions.


You can run the upgrade with ipa-server-upgrade --skip-version-check or --force

Re: [Freeipa-users] Trusted Domain Users - entry_cache_timeout

2015-12-13 Thread Jakub Hrozek
On Wed, Dec 09, 2015 at 12:58:23PM +0100, Winfried de Heiden wrote:
>Hi all,
> 
>Using entry_cache_timeout to set different cache timeout for sssd works
>well. However, it doesn't seem to work for Trusted Domain Users (using AD
>trust)
> 
>I made some changes, cleaned the cache but expiry will stay on a (too
>long) 10 (ten!) hours!
> 
>How can I change the sssd cache timeout for Trusted AD users ? (using IPA
>4.1)
> 
>Kind regards!

Did you change the expiry on a client only or also on the server?

Keep in mind that for identity lookups, only the IPA masters are
connected to AD, the clients fetch data from IPA masters.
(Authentication, however, is done against AD DCs directly)

Another point to keep in mind is that the cache expiry is stored in the
objects themselves, so you might want to refresh the cache.

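
Both of Jakub's replies make the same two points: for trusted AD users the lookup is done by the IPA master, so `entry_cache_timeout` has to be set in the master's sssd.conf as well as the client's, and because each cached entry carries its own expiry the change only takes effect after `sss_cache` invalidates the existing entries. The script below is an added example, not sssd or FreeIPA code, that reads two sssd.conf files and reports where the effective timeout differs from the wanted value, falling back to the sssd.conf(5) default of 5400 seconds when the option is absent. The configuration fragments are constructed and `ipa.example.com` is a placeholder domain.

```python
"""Check the effective sssd entry_cache_timeout on an IPA master and a client."""
import configparser

DEFAULT_ENTRY_CACHE_TIMEOUT = 5400   # sssd.conf(5) default, in seconds


def load_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str             # keep option names exactly as written
    cp.read_string(text)
    return cp


def effective_timeout(conf, domain):
    """entry_cache_timeout that applies to [domain/<domain>], or the default when unset."""
    section = f'domain/{domain}'
    if not conf.has_section(section):
        raise KeyError(f'no [{section}] section in sssd.conf')
    return conf.getint(section, 'entry_cache_timeout',
                       fallback=DEFAULT_ENTRY_CACHE_TIMEOUT)


def audit(master_conf_text, client_conf_text, domain, wanted):
    """Return findings; an empty list means both sides already use the wanted timeout."""
    findings = []
    master = effective_timeout(load_sssd_conf(master_conf_text), domain)
    client = effective_timeout(load_sssd_conf(client_conf_text), domain)
    if master != wanted:
        findings.append(f'IPA master: entry_cache_timeout is {master}s, want {wanted}s '
                        '(the master resolves trusted AD users, so this is the value that applies to them)')
    if client != wanted:
        findings.append(f'client: entry_cache_timeout is {client}s, want {wanted}s')
    if findings:
        findings.append("after editing sssd.conf, restart sssd and run 'sss_cache -E' on both the "
                        'master and the client: entries already cached keep the expiry they were stored with')
    return findings


# Constructed sssd.conf fragments: the client was tuned, the master was not.
MASTER_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
ipa_server_mode = True
"""

CLIENT_CONF = """\
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
entry_cache_timeout = 600
"""

if __name__ == '__main__':
    for finding in audit(MASTER_CONF, CLIENT_CONF, 'ipa.example.com', 600) or ['OK']:
        print(finding)
```

With the sample input the master is still on the 5400-second default, which is exactly the situation where a tuned client keeps seeing long-lived AD user entries: the client's own timeout is honoured, but the data it receives from the master was cached there under the master's settings.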